[Openswan dev] Working KLIPS, but with a few minor issues

David McCullough david_mccullough at mcafee.com
Wed Apr 14 07:15:16 EDT 2010


Jivin Harald Jenny lays it down ...
> Hi David,
> 
> can't confirm attached patch fixes problem, sorry...

That's ok, it fixed it for me, at least with the simple test I gave it.

Thanks,
Davidm

> On Wed, Apr 14, 2010 at 11:44:35AM +1000, David McCullough wrote:
> > 
> > Jivin Ruben Laban lays it down ...
> > > Hello list,
> > > 
> > > Latest git has a working KLIPS stack again:
> > > * Compiles fine
> > > * Loads fine
> > > * En/Decrypts fine
> > > * Unloads fine
> > > * etc
> > > 
> > > However, I did notice a few minor issues:
> > > * Bringing down/replacing a tunnel isn't "clean":
> > > 
> > > # ipsec auto --down tunnel2        
> > > 003 "tunnel2" #14: building of pfkey_msg_hdr flow eroute_connection replace with shunt failed, code -22
> > 
> > Ok, should have looked harder when I found the other one.
> > I think the attached patch should fix it, haven't had a chance to try it
> > yet though.
> > 
> > Cheers,
> > Davidm
> > 
> > > Replace:
> > > Apr 13 20:27:39 vn-t-fw01 pluto[4667]: "tunnel2": deleting connection
> > > Apr 13 20:27:39 vn-t-fw01 pluto[4667]: "tunnel2" #12: deleting state (STATE_MAIN_I4)
> > > Apr 13 20:27:39 vn-t-fw01 pluto[4667]: "tunnel2" #8: deleting state (STATE_QUICK_I2)
> > > Apr 13 20:27:39 vn-t-fw01 pluto[4667]: "tunnel2" #8: pfkey_lib_debug:pfkey_msg_parse: satype 1 conversion to proto failed for msg_type 14 (x-addflow(eroute)). 
> > > Apr 13 20:27:39 vn-t-fw01 pluto[4667]: "tunnel2" #8: pfkey_lib_debug:pfkey_msg_build: Trouble parsing newly built pfkey message, error=-22. 
> > > Apr 13 20:27:39 vn-t-fw01 pluto[4667]: "tunnel2" #8: pfkey_msg_build of flow eroute_connection replace with shunt failed, code -22
> > > Apr 13 20:27:39 vn-t-fw01 pluto[4667]: added connection description "tunnel2"
> > > 
> > > Down:
> > > Apr 13 20:28:17 vn-t-fw01 pluto[4667]: "tunnel2": terminating SAs using this connection
> > > Apr 13 20:28:17 vn-t-fw01 pluto[4667]: "tunnel2" #14: deleting state (STATE_QUICK_I2)
> > > Apr 13 20:28:17 vn-t-fw01 pluto[4667]: "tunnel2" #14: pfkey_lib_debug:pfkey_msg_hdr_build: satype 88 > max 9 
> > > Apr 13 20:28:17 vn-t-fw01 pluto[4667]: "tunnel2" #14: building of pfkey_msg_hdr flow eroute_connection replace with shunt failed, code -22
> > > Apr 13 20:28:17 vn-t-fw01 pluto[4667]: "tunnel2" #13: deleting state (STATE_MAIN_I4)
> > > 
> > > * The use of leftsourceip= generates an error in the log, but does work as advertised (as far as I could see):
> > > 
> > > Apr 13 20:36:30 vn-t-fw01 pluto[5197]: "tunnel2" #2: up-client output: /usr/local/lib/ipsec/_updown.klips: changesource `ip route change 172.16.1.0/24 dev ipsec0 src 172.16.4.11' failed (RTNETLINK answers: No such file or directory)
> > > 
> > > * While running some tests during this email I got this one, --replace followed by --up:
> > > 
> > > # ipsec auto --up tunnel2         
> > > 104 "tunnel2" #15: STATE_MAIN_I1: initiate
> > > 003 "tunnel2" #15: received Vendor ID payload [Openswan (this version) 2.6.master-201015.git ]
> > > 003 "tunnel2" #15: received Vendor ID payload [Dead Peer Detection]
> > > 106 "tunnel2" #15: STATE_MAIN_I2: sent MI2, expecting MR2
> > > 108 "tunnel2" #15: STATE_MAIN_I3: sent MI3, expecting MR3
> > > 003 "tunnel2" #15: received Vendor ID payload [CAN-IKEv2]
> > > 004 "tunnel2" #15: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
> > > 117 "tunnel2" #16: STATE_QUICK_I1: initiate
> > > 003 ERROR: "tunnel2" #16: pfkey write() of K_SADB_X_ADDFLOW message 71 for flow tun.100b at 172.16.2.10 failed. Errno 17: File exists
> > > 032 "tunnel2" #16: STATE_QUICK_I1: internal error
> > > 
> > > In log:
> > > Apr 13 20:33:52 vn-t-fw01 pluto[4667]: added connection description "tunnel2"
> > > Apr 13 20:33:55 vn-t-fw01 pluto[4667]: "tunnel2" #15: initiating Main Mode
> > > Apr 13 20:33:55 vn-t-fw01 pluto[4667]: "tunnel2" #15: received Vendor ID payload [Openswan (this version) 2.6.master-201015.git ]
> > > Apr 13 20:33:55 vn-t-fw01 pluto[4667]: "tunnel2" #15: received Vendor ID payload [Dead Peer Detection]
> > > Apr 13 20:33:55 vn-t-fw01 pluto[4667]: "tunnel2" #15: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
> > > Apr 13 20:33:55 vn-t-fw01 pluto[4667]: "tunnel2" #15: STATE_MAIN_I2: sent MI2, expecting MR2
> > > Apr 13 20:33:55 vn-t-fw01 pluto[4667]: "tunnel2" #15: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
> > > Apr 13 20:33:55 vn-t-fw01 pluto[4667]: "tunnel2" #15: STATE_MAIN_I3: sent MI3, expecting MR3
> > > Apr 13 20:33:56 vn-t-fw01 pluto[4667]: "tunnel2" #15: received Vendor ID payload [CAN-IKEv2]
> > > Apr 13 20:33:56 vn-t-fw01 pluto[4667]: "tunnel2" #15: Main mode peer ID is ID_IPV4_ADDR: '172.16.2.10'
> > > Apr 13 20:33:56 vn-t-fw01 pluto[4667]: "tunnel2" #15: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
> > > Apr 13 20:33:56 vn-t-fw01 pluto[4667]: "tunnel2" #15: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
> > > Apr 13 20:33:56 vn-t-fw01 pluto[4667]: "tunnel2" #16: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#15 msgid:e4021180 proposal=3DES(3)_192-MD5(1)_128, 3DES(3)_192-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1536}
> > > Apr 13 20:33:56 vn-t-fw01 pluto[4667]: ERROR: "tunnel2" #16: pfkey write() of K_SADB_X_ADDFLOW message 71 for flow tun.100b at 172.16.2.10 failed. Errno 17: File exists
> > > Apr 13 20:33:56 vn-t-fw01 pluto[4667]: |   02 0e 00 09  17 00 00 00  47 00 00 00  3b 12 00 00
> > > Apr 13 20:33:56 vn-t-fw01 pluto[4667]: |   03 00 01 00  00 00 10 0b  00 00 00 00  00 00 00 00
> > > Apr 13 20:33:56 vn-t-fw01 pluto[4667]: |   00 00 00 00  00 00 00 00  03 00 05 00  00 00 00 00
> > > Apr 13 20:33:56 vn-t-fw01 pluto[4667]: |   02 00 00 00  ac 10 03 15  00 00 00 00  00 00 00 00
> > > Apr 13 20:33:56 vn-t-fw01 pluto[4667]: |   03 00 06 00  00 00 00 00  02 00 00 00  ac 10 02 0a
> > > Apr 13 20:33:56 vn-t-fw01 pluto[4667]: |   00 00 00 00  00 00 00 00  03 00 15 00  00 00 00 00
> > > Apr 13 20:33:56 vn-t-fw01 pluto[4667]: |   02 00 00 00  ac 10 04 00  00 00 00 00  00 00 00 00
> > > Apr 13 20:33:56 vn-t-fw01 pluto[4667]: |   03 00 16 00  00 00 00 00  02 00 00 00  ac 10 01 00
> > > Apr 13 20:33:56 vn-t-fw01 pluto[4667]: |   00 00 00 00  00 00 00 00  03 00 17 00  00 00 00 00
> > > Apr 13 20:33:56 vn-t-fw01 pluto[4667]: |   02 00 00 00  ff ff ff 00  00 00 00 00  00 00 00 00
> > > Apr 13 20:33:56 vn-t-fw01 pluto[4667]: |   03 00 18 00  00 00 00 00  02 00 00 00  ff ff ff 00
> > > Apr 13 20:33:56 vn-t-fw01 pluto[4667]: |   00 00 00 00  00 00 00 00
> > > Apr 13 20:33:56 vn-t-fw01 pluto[4667]: | raw_eroute result=0 
> > > 
> > > This is the configuration I used for these test:
> > > 
> > > (Local is right in this case, using identical config on both ends, except for protostack=, remote is netkey)
> > > (Kernel used on this particular instance is a 2.6.24 based Ubuntu kernel)
> > > 
> > > # /etc/ipsec.conf - Openswan IPsec configuration file
> > > # RCSID $Id: ipsec.conf.in,v 1.16 2005/07/26 12:29:45 ken Exp $
> > > 
> > > # This file:  /usr/share/doc/openswan/ipsec.conf-sample
> > > #
> > > # Manual:     ipsec.conf.5
> > > 
> > > 
> > > version 2.0     # conforms to second version of ipsec.conf specification
> > > 
> > > # basic configuration
> > > config setup
> > >         # Do not set debug options to debug configuration issues!
> > >         # plutodebug / klipsdebug = "all", "none" or a combination from below:
> > >         # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
> > >         # eg:
> > >         # plutodebug="control parsing"
> > >         #
> > >         # enable to get logs per-peer
> > >         # plutoopts="--perpeerlog"
> > >         #
> > >         # Again: only enable plutodebug or klipsdebug when asked by a developer
> > >         #
> > >         # NAT-TRAVERSAL support, see README.NAT-Traversal
> > >         nat_traversal=yes
> > >         # exclude networks used on server side by adding %v4:!a.b.c.0/24
> > >         virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
> > >         # OE is now off by default. Uncomment and change to on, to enable.
> > >         oe=off
> > >         # which IPsec stack to use. netkey,klips,mast,auto or none
> > >         protostack=klips
> > >         #protostack=mast
> > >         #protostack=netkey
> > >         dumpdir=/tmp
> > > 
> > > 
> > > # Add connections here
> > > 
> > > # sample VPN connection
> > > # for more examples, see /etc/ipsec.d/examples/
> > > #conn sample
> > > #               # Left security gateway, subnet behind it, nexthop toward right.
> > > #               left=10.0.0.1
> > > #               leftsubnet=172.16.0.0/24
> > > #               leftnexthop=10.22.33.44
> > > #               # Right security gateway, subnet behind it, nexthop toward left.
> > > #               right=10.12.12.1
> > > #               rightsubnet=192.168.0.0/24
> > > #               rightnexthop=10.101.102.103
> > > #               # To authorize this connection, but not actually start it, 
> > > #               # at startup, uncomment this.
> > > #               #auto=start
> > > conn tunnel2
> > >         left=172.16.2.10
> > >         leftsubnet=172.16.1.0/24
> > >         leftnexthop=172.16.2.20
> > >         leftsourceip=172.16.1.20
> > >         leftrsasigkey=0sAQN9...
> > >         right=172.16.3.21
> > >         rightsubnet=172.16.4.0/24
> > >         rightnexthop=172.16.3.10
> > >         rightsourceip=172.16.4.11
> > >         rightrsasigkey=0sAQOq...
> > >         ike=3des
> > >         phase2alg=3des
> > >         auto=add
> > > 
> > > -- 
> > > Regards,
> > > 
> > > Ruben Laban
> > > Senior Systems and Network Administrator
> > > ISM eCompany
> > > _______________________________________________
> > > Dev mailing list
> > > Dev at openswan.org
> > > http://lists.openswan.org/mailman/listinfo/dev
> > > 
> > > 
> > 
> > -- 
> > David McCullough,      david_mccullough at mcafee.com,  Ph:+61 734352815
> > McAfee - SnapGear      http://www.mcafee.com         http://www.uCdot.org
> 
> > diff --git a/programs/pluto/kernel_pfkey.c b/programs/pluto/kernel_pfkey.c
> > index bc73c0d..2f0a353 100644
> > --- a/programs/pluto/kernel_pfkey.c
> > +++ b/programs/pluto/kernel_pfkey.c
> > @@ -1253,7 +1253,7 @@ pfkey_shunt_eroute(struct connection *c
> >  			      , htonl(spi)
> >  			      , SA_INT
> >  			      , 0 /* transport_proto is not relevant */
> > -			      , SADB_X_SATYPE_INT, null_proto_info
> > +			      , ET_INT, null_proto_info
> >  			      , 0      /* use lifetime */
> >  			      , inop
> >  			      , opname);
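
Review bot: the constant replaced here (`SADB_X_SATYPE_INT`) differs from the one replaced at the second call site of the same function below (`K_SADB_X_SATYPE_INT`), so before this patch one parameter was being fed values from two different numbering spaces, which is consistent with the "satype 88 > max 9" and "satype 1 conversion to proto failed" lines in the quoted log. Passing `ET_INT` at both sites fixes the callers, but the hunk does not show the callee's definition, so please confirm that its body now maps `esatype` to a pfkey satype in exactly one place rather than writing the enum value into `sadb_msg_satype` directly, or the bounds check will trip again with a different number. Note also that `SA_INT` is still passed two lines up as the `proto` argument, which the header marks UNUSED.
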
> > @@ -1279,7 +1279,7 @@ pfkey_shunt_eroute(struct connection *c
> >  			      , htonl(spi)
> >  			      , SA_INT
> >  			      , sr->this.protocol
> > -			      , K_SADB_X_SATYPE_INT
> > +			      , ET_INT
> >  			      , null_proto_info, 0, op, buf2);
> >      }
> >  }
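
Review bot: this call passes `sr->this.protocol` as transport_proto where the call above passes `0 /* transport_proto is not relevant */` for the same shunt eroute operation; if the difference is deliberate, a one-line comment here saying why would stop the next reader from "fixing" one to match the other. The type change itself is consistent with the first hunk, and since the old code used the `K_`-prefixed constant here and the unprefixed one above, any other caller of pfkey_raw_eroute outside this file should be checked for the same mismatch.
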
> > diff --git a/programs/pluto/kernel_pfkey.h b/programs/pluto/kernel_pfkey.h
> > index 4a87414..f92438f 100644
> > --- a/programs/pluto/kernel_pfkey.h
> > +++ b/programs/pluto/kernel_pfkey.h
> > @@ -42,7 +42,7 @@ extern bool pfkey_raw_eroute(const ip_address *this_host
> >  			     , ipsec_spi_t spi
> >  			     , unsigned int proto UNUSED
> >  			     , unsigned int transport_proto
> > -			     , unsigned int satype
> > +			     , enum eroute_type esatype
> >  			     , const struct pfkey_proto_info *proto_info UNUSED
> >  			     , time_t use_lifetime UNUSED
> >  			     , enum pluto_sadb_operations op
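
Review bot: changing `unsigned int satype` to `enum eroute_type esatype` in the prototype will not make the compiler flag a caller that still passes an integer `SADB_X_SATYPE_*` constant, since C converts int to enum silently; the two callers in kernel_pfkey.c are updated in this patch, but the definition of pfkey_raw_eroute (not shown) and any caller elsewhere need a grep before this is applied. The prototype also now carries the SA type twice: `proto UNUSED` two lines up still receives `SA_INT` from both callers while `esatype` receives `ET_INT`; either drop the unused parameter or add a comment saying which one is authoritative.
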
> 
> 
> 
> 

-- 
David McCullough,      david_mccullough at mcafee.com,  Ph:+61 734352815
McAfee - SnapGear      http://www.mcafee.com         http://www.uCdot.org
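
Added example, written for this page and not taken from the thread or from Openswan: the hex dump pluto printed after the failed `K_SADB_X_ADDFLOW` write is a complete PF_KEY v2 message, and decoding it is the quickest way to tell a malformed message (the `-22` / "satype > max" class of failure seen with --down and --replace) from a kernel refusal of a well-formed one (errno 17, EEXIST, seen with --up). The parser below applies the header length and satype bounds checks, walks the extension chain with overrun checks, and decodes the SA and address extensions. Assumptions: field layout per RFC 2367 for `sadb_msg`, `sadb_ext` and `sadb_address`; a 24-byte `sadb_sa`, which is what the dump's own length field says (Openswan's version carries extra fields after the flags, which the parser skips); a little-endian host, matching the x86 box that produced the dump; the satype limit of 9 is taken from the "max 9" log line; the `EXT_*` names are mine, with the numbers read from the dump itself (they follow the pattern of KLIPS's `SADB_X_EXT_ADDRESS_*_FLOW/MASK` extensions); and the satype-88 input is constructed, not logged.

```c
/* Editor's added example, not from the thread or from Openswan: decode the K_SADB_X_ADDFLOW
 * message pluto dumped after the EEXIST write, with the length and satype checks behind the
 * "-22" failures above. Assumed: RFC 2367 layouts plus a 24-byte sadb_sa (per the dump's own
 * length field), little-endian host, SPI/sockaddr in network order, satype limit 9 as logged. */
#include <inttypes.h>
#include <stdio.h>
#include <string.h>

#define PFKEY_UNIT         8   /* PF_KEY *_len fields count 8-byte units */
#define SATYPE_MAX_ASSUMED 9   /* the "max 9" from the log line (assumption) */

enum {  /* extension types present in the dump: names mine, numbers from the bytes */
    EXT_SA = 1, EXT_ADDRESS_SRC = 5, EXT_ADDRESS_DST = 6,
    EXT_X_ADDRESS_SRC_FLOW = 21, EXT_X_ADDRESS_DST_FLOW = 22,
    EXT_X_ADDRESS_SRC_MASK = 23, EXT_X_ADDRESS_DST_MASK = 24 };

/* 184 bytes transcribed from the "|   02 0e 00 09 ..." log lines above. */
static const uint8_t addflow_msg[] = {
    0x02,0x0e,0x00,0x09, 0x17,0x00,0x00,0x00, 0x47,0x00,0x00,0x00, 0x3b,0x12,0x00,0x00,
    0x03,0x00,0x01,0x00, 0x00,0x00,0x10,0x0b, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x03,0x00,0x05,0x00, 0x00,0x00,0x00,0x00,
    0x02,0x00,0x00,0x00, 0xac,0x10,0x03,0x15, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
    0x03,0x00,0x06,0x00, 0x00,0x00,0x00,0x00, 0x02,0x00,0x00,0x00, 0xac,0x10,0x02,0x0a,
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x03,0x00,0x15,0x00, 0x00,0x00,0x00,0x00,
    0x02,0x00,0x00,0x00, 0xac,0x10,0x04,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
    0x03,0x00,0x16,0x00, 0x00,0x00,0x00,0x00, 0x02,0x00,0x00,0x00, 0xac,0x10,0x01,0x00,
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x03,0x00,0x17,0x00, 0x00,0x00,0x00,0x00,
    0x02,0x00,0x00,0x00, 0xff,0xff,0xff,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
    0x03,0x00,0x18,0x00, 0x00,0x00,0x00,0x00, 0x02,0x00,0x00,0x00, 0xff,0xff,0xff,0x00,
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00 };

struct pfkey_addr { uint16_t exttype; uint8_t proto, prefixlen, ip[4]; };
struct pfkey_decoded {
    uint8_t  version, type, msg_errno, satype;
    uint16_t len_units;
    uint32_t seq, pid, spi;
    struct pfkey_addr addr[8];
    int n_addr;
};

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p) { return le16(p) | ((uint32_t)le16(p + 2) << 16); }
static uint32_t be32(const uint8_t *p) { return ((uint32_t)p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]; }

/* 0 if well formed, else a negative code naming the failed check (the real parser
 * folds all of these into -EINVAL, which is the -22 in the log). */
int pfkey_decode(const uint8_t *buf, size_t buflen, struct pfkey_decoded *out)
{
    size_t off;
    memset(out, 0, sizeof *out);
    if (buflen < 16) return -1;                                     /* no full sadb_msg */
    out->version = buf[0]; out->type = buf[1]; out->msg_errno = buf[2]; out->satype = buf[3];
    out->len_units = le16(buf + 4);
    out->seq = le32(buf + 8); out->pid = le32(buf + 12);
    if (out->version != 2) return -2;                               /* PF_KEY_V2 only */
    if (out->satype > SATYPE_MAX_ASSUMED) return -3;                /* "satype N > max 9" */
    if ((size_t)out->len_units * PFKEY_UNIT != buflen) return -4;   /* sadb_msg_len vs bytes */
    for (off = 16; off < buflen; ) {
        size_t elen = (size_t)le16(buf + off) * PFKEY_UNIT;         /* sadb_ext_len */
        uint16_t etype = le16(buf + off + 2);                       /* sadb_ext_type */
        if (elen < PFKEY_UNIT || elen > buflen - off) return -5;    /* ext overruns message */
        switch (etype) {
        case EXT_SA:
            if (elen < 16) return -6;
            out->spi = be32(buf + off + 4);                         /* sadb_sa_spi, network order */
            break;
        case EXT_ADDRESS_SRC: case EXT_ADDRESS_DST: case EXT_X_ADDRESS_SRC_FLOW:
        case EXT_X_ADDRESS_DST_FLOW: case EXT_X_ADDRESS_SRC_MASK: case EXT_X_ADDRESS_DST_MASK: {
            if (elen < 8 + 16 || out->n_addr >= 8) return -7;       /* sadb_address + sockaddr_in */
            if (le16(buf + off + 8) != 2) return -8;                /* sin_family must be AF_INET */
            struct pfkey_addr *a = &out->addr[out->n_addr++];
            a->exttype = etype; a->proto = buf[off + 4]; a->prefixlen = buf[off + 5];
            memcpy(a->ip, buf + off + 12, 4);                       /* sin_addr, network order */
            break;
        }
        default: break;                                             /* unknown type: skip by length */
        }
        off += elen;
    }
    return 0;
}

/* The logged message as-is, and a constructed copy with sadb_msg_satype overwritten. */
int decode_logged_addflow(struct pfkey_decoded *out)
{ return pfkey_decode(addflow_msg, sizeof addflow_msg, out); }
int decode_with_satype(uint8_t satype, struct pfkey_decoded *out)
{
    uint8_t copy[sizeof addflow_msg];
    memcpy(copy, addflow_msg, sizeof copy);
    copy[3] = satype;
    return pfkey_decode(copy, sizeof copy, out);
}

int main(void)
{
    struct pfkey_decoded d;
    int i, rc = decode_logged_addflow(&d);
    printf("rc=%d type=%d satype=%d seq=%" PRIu32 " pid=%" PRIu32 " spi=0x%" PRIx32 "\n",
           rc, d.type, d.satype, d.seq, d.pid, d.spi);
    for (i = 0; i < d.n_addr; i++)
        printf("  ext %d: %d.%d.%d.%d\n", d.addr[i].exttype, d.addr[i].ip[0],
               d.addr[i].ip[1], d.addr[i].ip[2], d.addr[i].ip[3]);
    printf("satype 88 -> rc=%d\n", decode_with_satype(88, &d));
    return 0;
}
```

Run as-is it decodes message type 14 (the x-addflow msg_type from the earlier log line), sequence 71 from pid 4667 (matching "message 71" and `pluto[4667]`), SPI 0x100b (the `tun.100b` SA) and six addresses: 172.16.3.21 and 172.16.2.10 as SA source and destination, then 172.16.4.0, 172.16.1.0, 255.255.255.0 and 255.255.255.0, which are the two subnets and masks from the posted ipsec.conf. Since the message parses cleanly, the errno 17 on the write is the kernel reporting that the flow was already present, a state problem rather than a message-building problem like the `-22` failures from --down and --replace; overwriting the satype byte with 88 reproduces the "satype 88 > max 9" rejection.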

